I was hacked

Since Sunday, I’ve been hacked by an unknown person. The hacker added a malicious script: when visitors arrive from Google, the script sends them to another search page, with the same string that the user wanted to find in Google.

The hacker added this malicious code to an image on my weblog (an image from a blog post), and the hacker added the image to work like a plugin in the MySQL database.

If anyone needs more information about the attack, my visitors go to your-needs.info, searching for the same string that they searched for at Google.

If you want to fix it for the moment, look in the wp_options table in the MySQL database, the table that stores the active_plugins, and in it find a “plugin” with an image extension. It can have any name, like your theme images or post images that you have uploaded. When you find it, don’t delete the lines in the MySQL database, but find the image/plugin in your directories by accessing them via FTP, download it to your computer, open it with Notepad or another plain text editor, then delete all the content (the content is like my old post showing up) and upload it again.

Then, try to access your weblog using a Google search. If the problem persists, find this “rss_f541b3abd05e7962fcab37737f40fad8” in the MySQL server and delete all the content that you have found.

Attention: Doing this can make the widget RSS support quite unstable, but it stops visitors from being sent away from your webpage by the code.
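The check described in the post above, as an added example that is not part of the original thread: it parses the PHP-serialized `active_plugins` value from `wp_options` and flags any entry that is an image, or more generally anything that is not a `.php` file. The sample value, the plugin paths in it and the function names are constructed for illustration.

```python
import os

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".ico"}

# Constructed sample of what this query returns on an affected site:
#   SELECT option_value FROM wp_options WHERE option_name = 'active_plugins';
SAMPLE = ('a:3:{i:0;s:19:"akismet/akismet.php";i:1;s:9:"hello.php";'
          'i:2;s:22:"my-theme/images/bg.jpg";}')

def parse_active_plugins(serialized):
    """Parse the array shape WordPress writes: a:N:{i:K;s:LEN:"value";...}"""
    data = serialized.encode("utf-8")      # PHP string lengths count bytes
    if not data.startswith(b"a:"):
        raise ValueError("not a serialized PHP array")
    brace = data.index(b"{")
    count = int(data[2:brace - 1])         # digits between "a:" and ":{"
    pos, plugins = brace + 1, []
    for _ in range(count):
        if data[pos:pos + 2] != b"i:":
            raise ValueError("expected integer key at byte %d" % pos)
        pos = data.index(b";", pos) + 1    # skip the key
        if data[pos:pos + 2] != b"s:":
            raise ValueError("expected string value at byte %d" % pos)
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                  # skip the colon and opening quote
        end = start + length
        if data[end:end + 2] != b'";':
            raise ValueError("declared length does not match the string")
        plugins.append(data[start:end].decode("utf-8"))
        pos = end + 2
    return plugins

def suspicious_plugins(serialized):
    """Return (path, reason) for every entry that is not a .php file."""
    findings = []
    for path in parse_active_plugins(serialized):
        ext = os.path.splitext(path)[1].lower()
        if ext in IMAGE_EXTS:
            findings.append((path, "image file registered as plugin"))
        elif ext != ".php":
            findings.append((path, "not a .php file"))
    return findings

if __name__ == "__main__":
    for path, reason in suspicious_plugins(SAMPLE):
        print(reason + ": " + path)
```
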

Hi Moshu,
I’m sorry, I realize that in this particular case the O.P. was not running the newest version, but I have been hearing that others are getting hacked on 2.5.1… that’s how I ended up on this thread. I was just hoping that someone could verify.

And for the record, I think it would be great if the WordPress devs could continue to support older versions for just a little while. It would be great if I could pay someone to roll back security fixes into the 2.3 line for at least 6 months to 1 year, because I know some people are not anxious to upgrade to 2.5 just yet.

Well, are they anxious to get hacked? You can’t have your cake and eat it too. Either roll back to 2.0.11 or move forward with the latest, greatest, most stable and secure, or risk being hacked. Those are the options.

I think the problem with stating that 2.5.1 was also hacked is that it’s quite possible (in fact, it’s probably highly likely) that the hack occurred BEFORE the upgrade and the hacked files were already present when the database was upgraded. Especially if the site owners were unaware that a hack had taken place when they performed the upgrade.

There are enough WP exploits out at this point that it’s a rather safe bet that any number of points of entry can result in a similar symptom.

if file A can be exploited ⊢ result C
if file B can be exploited ⊢ result C

It’s the same result, just a different problem.

Result C doesn’t necessarily mean that file A was exploited.

If you want a secure site, then you have to stay up on the upgrades, you have to make sure that you upgrade properly, you have to keep up on plugin upgrades, you have to be mindful of file and directory permissions, etc.

And once compromised, the files should be wiped and replaced, the passwords should all be changed, the secret key should be changed, and the database should be scoured for anything malicious.